It's a cliche by now, but the availability of such code means two things: You can test with some accuracy whether you're vulnerable, and real-world black hat exploits will be out there fairly soon, if not already. This vulnerability can be invoked simply by viewing a web page in Internet Explorer or some app that uses IE to render HTML.

Note that it's Windows 2000 and Windows XP which are basically vulnerable, and then only in some cases. IE8 turns on DEP (Data Execution Prevention) by default, and protected mode in Vista and Windows 7 is standard as well. DEP blocks the vulnerability itself; protected mode blocks the exploit. It may be possible to write an exploit that gets around protected mode, but this is an academic question, since all protected mode systems also support DEP.

It's also true that, depending on how it's set up, Vista with IE7 may not have DEP turned on by default. Such users should be protected from the actual exploits by protected mode, but you can turn on DEP following the instructions in the SRD blog.

So putting Windows 2000 aside for the moment, the only vulnerable platform, as a practical matter, is Windows XP, and only for IE6 and IE7. IE7 is a bit of a wild card, as the exploits used in Aurora and the proof of concept are both sensitive to memory layouts and only work on IE6. Researchers insist that IE7 should be as exploitable, but they have to build a separate exploit for it and just haven't done it yet.

The primary moral of the story is that defense-in-depth has once again shown its value, as a serious vulnerability was blocked by a systemic defense. Users who keep their software up to date are protected against attack, more often than not. If you were to run any of the non-vulnerable configurations and turn off DEP or protected mode you would once again be vulnerable, but whose fault would that be?

The other moral of the story is that if you're using IE6, you really ought to move on: Go to Firefox, go to Chrome (it's my primary browser now), or upgrade to IE8, but running IE6 is like putting a big "Hack Me!" sign on your back.